Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Reports this week on discussions about a hypothetical targeted revision of the EU General Data Protection Regulation came amid calls by the European Commission to simplify the EU rulebook to improve the continent's competitiveness. Discussion resurfaces every so often about the decade-old regulation's fitness in today's digital economy and in an economy that is about 95% small and medium-size businesses.

Member of the European Parliament Axel Voss, a European parliamentary veteran, and privacy activist Max Schrems are both long-time influential voices in Brussels and before the Court of Justice of the European Union when it comes to European privacy — and digital — rules, their implementation and enforcement. Voss was a key architect of the GDPR during the 2012-16 negotiations and since then has regularly commented on the regulation's undue burden on businesses. Schrems has also been a vocal critic of GDPR enforcement by European data protection authorities — or the lack thereof, as he often argues.

The two publicly discussed a possible approach to a hypothetical targeted GDPR revision during a Center for European Policy Studies Ideas Lab event in Brussels this week. They proposed a three-tier layered approach to the GDPR that would adjust the legal burden to the size of the organization.

They argued that on one end of the spectrum, small to medium-sized enterprises should have fewer documentation requirements, possibly simplified transparency requirements and no data protection officer obligation. Lighter documentation requirements are already reflected, even if marginally, in the GDPR, and the European Commission's new Omnibus Simplification Package is expected to address them.

On the other end, and similar to the size-defining criteria the EU has used in the Digital Services Act for instance, obligations should be different for "companies whose business model is built fundamentally on the processing of personal data, like advertisers."

The one-size-fits-all approach was heavily criticized during GDPR negotiations and led to some marginal adjustments in the final text. In today's largely data-driven economy, it is fair to ask whether size is the relevant criterion, whether risk and relevance should be preferred, or whether it should be a combination. Just because a company is small, by number of employees, revenue or whatever criterion is used, doesn't by default exclude that it has a data-driven business.

Beyond his feats of arms related to international data transfers, Schrems' GDPR advocacy has focused, among other things, on enforcement, highlighting the lengthiness and somewhat obscure nature of enforcement procedures across member states.

Voss has long argued that a GDPR "pragmatic revision" is overdue. "We need urgent measures to resolve access issues to datasets, implement a risk-based approach to regulation and create a harmonised and simplified legal framework that promotes both privacy and innovation," he said.

He calls out the fragmentation of interpretation and enforcement of the GDPR, very much in line with the feedback from formal stakeholders the Commission captured in its annual review of the regulation. He argues that not all data processors should be treated equally, a point Schrems shares.

Ongoing negotiations on additional procedural rules related to GDPR enforcement may address some concerns raised by the community in that respect. Industry and civil society diverge on several aspects but share two sets of concerns about the proposal. The fact that it only addresses cross-border cases and does not aim to harmonize domestic data protection rules is seen by many as a missed opportunity. In addition, the procedural rules reform is largely being discussed under the radar of many practitioners, with a risk that the final agreement may still generate uncertainty and lack of clarity for many.

The negotiations may be finalized before summer and the end of the Polish presidency of the European Council. According to the rapporteur MEP Markéta Gregorová, the goal of negotiators involves "finding a sound approach rather than adhering to strict time limits."

Almost 10 years after its adoption and 13 years after it was first drafted, the key question at hand is whether the GDPR's structure and philosophy are still fit for purpose. Since its entry into force in 2016, the GDPR has been the basis for over 80 rulings from the CJEU and has resulted in more than 2,000 fines totaling 4.5 billion euros.

Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.

This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.